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1 This application is submitted in the name of the following inventors: 
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3 Inventor 

4 McCloghrie, Keith 

5 Robert, Stephan 

6 Walrand, Jean 

7 Bierman, Andrew 
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% 9 The assignee is Cisco Technology, Inc. , a California corporation having an 

:jo office at 170 West Tasman Drive, San Jose CA 95 134. 
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"12 Title of the Invention 

P3 

fi4 Sampling Packets for Network Monitoring 

"15 

16 Background of the Invention 

17 

18 1. Field of the Invention 

19 

20 This invention relates to network monitoring. 

21 
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1 2. Related Art 
2 

3 In a computer network in which messages are transmitted and received be- 

4 tween devices, it is often desirable to monitor the nature and volume of communication 

5 traffic. For example, by noting the number of messages (or more detailed information 

6 about those messages) transmitted from selected source devices or to selected destination 

7 devices, it can be possible to obtain useful information about usage patterns of the net- 

8 work. One known set of network objects used for this purpose is called RMON ("remote 
:pj9 monitoring"). In known systems, a device coupled to and monitoring a communication 
□o link in the network generates these RMON objects. RMON objects are retrievable from 

1 the generating device using a known message protocol, such as SNMP (Simple Network 

i; i2 Message Protocol). 

-^14 RMON was originally conceived for monitoring OSI layer 1 and layer 2 

"15 communication. Accordingly, a first version of RMON (RMON1) was directed to col- 

16 lecting information and statistics primarily about packets between a source device MAC 

17 address and a destination device MAC address. A first version of RMON 1 was optimized 

18 in some respects for Ethernet LAN communication; a second version was optimized for 

19 token-ring LAN communication. RMON1 also included capabilities for capturing the 

20 contents of selected packets, and for setting alarms upon selected events (those events 

21 being distinguished for layer 1 and layer 2 communication). 

22 



2 



CIS-044 

1 A more recent version of RMON (RMON2) extends the monitoring capa- 

2 bilities to include more analysis of actual packets, including identifying layer 3, layer 4, 

3 and some application aspects of communication. For example, RMON2 includes capa- 

4 bilities for collecting information about usage of particular routing protocols (such as IP 

5 or IPX) and particular ports used at the source device or destination device (such as ports 

6 for FTP or HTTP transactions). RMON2 also differs from RMON1 in the number of 

7 communication links that are monitored by a single device. 

8 

\% 9 In parallel with the evolution from RMON1 to RMON2, another evolution 

I30 has taken place: early RMON applications using RMON1 were usually directed to moni- 

jAi toring probes, which monitor a single port of a switch. More recent RMON applications 

^12 using RMON2 are often directed to monitoring software that is embedded in a switch, 

IJH3 and therefore is contemplated to monitor several, preferably all, interfaces of the switch. 

! :? 15 One problem in the known art is that ability to monitor network traffic is 

16 not keeping up with the amount and speed of the network traffic itself. First, more recent 

17 versions of RMON result in an increase in the processing required for each packet. Sec- 

18 ond, it is desirable to monitor as many output interfaces as possible. Third, the bandwidth 

19 and wire speed of network interfaces is rapidly increasing due to advances in technology. 

20 All three of these effects require additional processing power in the monitoring device. 

21 
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1 One response to this problem is to select only a sample set of packets for 

2 monitoring, rather than attempting to process all packets transmitted over the monitored 

3 communication links. The sampled traffic would serve as a proxy for all traffic, to meas- 

4 ure the frequency of selected network events and to collect aggregate information about 

5 network traffic. United States Patent No. 5,315,580, titled "Network Monitoring Device 

6 and System", issued May 24, 1994, in the name of Peter Phaal, to assignee Hewlett- 

7 Packard Company of Palo Alto, California, shows one example of a sampling technique 

8 for monitoring. 

Oio Known sampling techniques achieve the purpose of collecting aggregate 
information about network traffic where the network transmission rate of packets exceeds 

1^12 the ability of the monitoring device to process those packets. However, these techniques 

0li3 suffer from several drawbacks. First, estimated frequency measurement for relatively in- 

'^14 frequent events can be subject to error and inaccuracy. Second, processor load for the 

U 15 monitoring device can vary wildly in response to network traffic load. When network 

16 traffic is relatively frequent, processor load is relatively heavy, and the monitoring device 

17 can fail to keep up with the network traffic. When network traffic is relatively infrequent, 

18 processor load is relatively light, and the monitoring device can be underused. 

19 

20 Accordingly, it would be advantageous to provide a method and system for 

21 collecting aggregate information about network traffic, in which processor load is rela- 

22 tively constant despite substantial variation in network traffic, and in which the accuracy 
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1 of frequency measurement can be improved even for relatively infrequent events, due to 

2 the ability to sample more frequently. This advantage is achieved in an embodiment of 

3 the invention that samples packets from network traffic adaptively in response to that 

4 network traffic, and measures frequency in response to either the sampling rate or the fre- 

5 quency rate of appearance in sampled packets, or both. 

6 

7 Summary of the Invention 

8 

:g9 The invention provides a method and system for collecting aggregate in- 

Qo formation about network traffic, while maintaining processor load relatively constant de- 

□ 1 spite substantial variation in network traffic, and capable of substantially accurate fre- 

f 12 quency measurement even for relatively infrequent events. A packet monitoring system 

iH3 includes an input port for receiving network packets, a sampling element for selecting a 

ZA4 fraction of those packets for review, and a queue of selected packets. The packets in the 

"15 queue are coupled to a packet-type detector for detecting packets of a selected type; the 

16 system applies a measurement technique for determining a frequency measure for those 

17 detected packets. The system includes a feedback technique for adaptively altering the 

18 sampling rate fraction, responsive to the queue length and possibly other factors, such as 

19 processor load or the detected frequency measure. 

20 

21 In a preferred embodiment, the measurement technique also determines an 

22 error range and a measure of confidence that the actual frequency is within the error range 
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1 of the measured frequency. The system can detect packets of multiple selected types, and 

2 provide measured frequencies and error ranges for all of the multiple selected types con- 

3 currently. Also 5 the measurement technique is selected so as to impose relatively little 

4 computational load per packet. 

5 

6 Brief Description of the Drawings 

7 

8 Figure 1 shows a block diagram of a system for collecting information 

:g 9 about packet traffic. 

□o 

pii Figure 2 shows a block diagram of a system for adaptively sampling pack- 

,=~12 ets. 

■%4 Figure 3 shows a process flow diagram of a method for adaptively sampling 

^15 packets and measuring expected frequencies for selected packet types. 

16 

17 Detailed Description of the Preferred Embodiment 

18 

19 In the following description, a preferred embodiment of the invention is de- 

20 scribed with regard to preferred process steps and data structures. Those skilled in the art 

21 would recognize after perusal of this application that embodiments of the invention can 

22 be implemented using circuits adapted to particular process steps and data structures de- 
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1 scribed herein, and that implementation of the process steps and data structures described 

2 herein would not require undue experimentation or further invention. 

3 

4 Sampling System Elements 

5 

6 Figure 1 shows a block diagram of a system for collecting information 

7 about packet traffic. 
8 

!g9 A system 100 for collecting information about packet traffic includes a 

Bio packet router or packet switch 110, a traffic management element 120, and a traffic in- 
formation database 130. 

jf*i3 The packet switch 110 includes a plurality of input interfaces 111 and out- 

%4 put interfaces 112. The packet switch 1 10 it is disposed to receive a sequence of packets 

; '15 1 13 at one or more of those input interfaces 1 1 1, and to output those packets 113 (possi- 

16 bly altered according to known packet rewrite rules) at one or more of those output inter- 

17 faces 112. Packet routers and packet switches 1 10 are known in the art of computer net- 

18 works. 

19 

20 The traffic management element 120 is coupled to at least one of the input 

21 interfaces 1 1 1 or output interfaces 1 12. (In a the preferred embodiment, the traffic man- 

22 agement element 120 is coupled to substantially all of the input interfaces 1 1 1 and to sub- 
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1 stantially all of the output interfaces 112.) The traffic management element 120 is dis- 

2 posed to receive substantially all of the packets 1 13 input to the packet switch 1 10 and to 

3 sample a fraction of those packets 113. Similarly, the traffic management element 120 is 

4 also disposed to review substantially all of the packets 113 about to be output from the 

5 packet switch 1 1 0 and to sample a fraction of those packets 113. 

6 

7 In alternative preferred embodiments, the traffic management element 120 

8 can be distributed within a plurality of devices, such that sampling of packets 113 occurs 
!n9 at the input interfaces 1 1 1 or output interfaces 112, while counting and analysis occur at 
Qo another logical location. In such alternative preferred embodiments, the portion of the 
!5 1 traffic management element 120 that actually samples input packets 1 13 marks each sam- 
T12 pled input packet 1 13 as a sample and forwards those sampled input packets 1 13 to an- 
fffo other portion of the traffic management element 120 for counting and analysis. Similarly, 
^14 the portion of the traffic management element 120 that actually samples output packets 
! ™15 113 marks each sampled output packet 1 13 as a sample, and forwards those sampled out- 

16 put packets 113 back to the traffic management element 120. Sampling and forwarding 

17 of output packets 1 13 does not actually output a duplicate packet 1 13 at the output inter- 

18 face 112. 

19 

20 Since it is advantageous for the traffic management element 120 to perform 

21 accurate counting and analysis, each sampled packet 1 1 3 (whether a sampled input packet 

22 1 13 or a sampled output packet 113) thus forwarded is labeled with a sequence number. 
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1 This allows the portion of the traffic management element 120 performing counting and 

2 analysis to avoid losing synchronization even if a sampled packet 113 is dropped after 

3 forwarding by the portion of the traffic management element 120 for sampling and for- 

4 warding. 

5 

6 The traffic management element 120 is coupled to the traffic information 

7 database 130. The traffic management element 120 is disposed to output the information 

8 it collects about sampled packets 1 13 to the traffic information database 130. The traffic 
%9 information database 130 is disposed to store that information and to output or present 
□o that information in response to a request message 131 from a device coupled to the net- 
■ J h 1 work (not shown) . 

^12 

mi3 In a preferred embodiment, the traffic information database 130 records the 

■yi4 information about sampled packets 113 in a known format, such as the RMON MIB for- 

: "15 mat, and the device coupled to the network communicates with the traffic information 

16 database 130 using a known protocol such as the SNMP protocol. The RMON MIB for- 

17 mat and the SNMP protocol are known in the art of computer networks. 

18 

1 9 Adaptive Sampling System 

20 

21 Figure 2 shows a block diagram of a system for adaptively sampling pack- 

22 ets. 
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A system 200 for adaptively sampling packets includes a packet input port 
210, a sampling element 220, a sampled packet queue 230, an adaptive sampling control- 
ler 240, a sampled-packet output port 250, at least one packet type detector 260, and at 
least one frequency measure element 270. 

The packet input port 210 is disposed within the traffic management ele- 
ment 120, and is disposed to receive substantially all of the packets 113 input to the 
packet switch 110. In those alternative embodiment where the traffic management ele- 
ment 120 is distributed in both a first portion for sampling and forwarding and a second 
portion for counting and analysis, the packet input port 210 is disposed within the first 
portion for sampling and forwarding. 

In alternative embodiments, the packet input port 210 may be disposed to 
receive only a selected subset of the packets 113 input to the packet switch 1 10, such as 
only those packets 1 13 using a selected protocol such as IP or a selected protocol at an- 
other layer such as HTTP. In further or other alternative embodiments, the packet input 
port 210 may be disposed to receive packets 113 output by (rather than input to) the 
packet switch 110. 

The sampling element 220 is coupled to the packet input port 210 and is 
disposed to sample one out of every N packets 113, where N is a control parameter. The 
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adaptive sampling controller 240 sets the value of N. In a preferred embodiment, the 
value of N is adjusted to start at a default value, and adaptively adjusted thereafter, as de- 
scribed herein. Thus, one out of every N packets is selected by the sampling element 220 
for further processing by the traffic management element 120. In a preferred embodi- 
ment, the default value of N is selected in response to the bandwidth of the packet input 
port. For example, the default value can be set to 400 for a 1 gigabit-per-second port, 40 
for a 100 megabit-per-second port, or 4 for a 10 megabit-per-second port. 

The system 200 appends those packets 113 selected by the sampling ele- 
ment 220 to the tail of the sampled packet queue 230. The sampled packet queue 230 is 
disposed to receive, store, and present packets 113 in a FIFO (first in first out) manner. 
FIFO queues are known in the art of computer programming. In a preferred embodiment, 
the sampled packet queue 230 stores only pointers to packets 113, or pointers to packet 
headers, and the original packets 113 or packet headers are stored in a memory. How- 
ever, the operation of the system for adaptively sampling packets is substantially similar 
regardless of whether the sampled packet queue 230 holds packets 113, packet headers, 
pointers thereto, or some related data structure. 

The sampled packet queue 230 is coupled to the adaptive sampling con- 
troller 240. The adaptive sampling controller 240 compares the length of the sampled 
packet queue 230 against a lower threshold 23 1 and an upper threshold 232. The adaptive 
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sampling controller 240 sets the value of the control parameter N responsive to this com- 
parison, and outputs the value of N to the sampling element 220. 

In a preferred embodiment, if the length is less than the lower threshold 
231, the adaptive sampling controller 240 decreases the value of the control parameter N 
(to sample more frequently). If the length is more than the upper threshold 232, the 
adaptive sampling controller 240 increases the value of the control parameter N (to sam- 
ple less frequently). Methods used by the adaptive sampling controller 240 are further 
described with regard to figure 3. However, in alternative embodiments, the adaptive 
sampling controller 240 may set the value of N responsive to other factors, including any 
of the following (or some combination thereof): 

o the actual length of the sampled packet queue 230; 

o an average length of the sampled packet queue 230 for some recent time period, or 
some other statistical parameter for that length, such as a maximum, minimum, 
median, or variance thereof; 

o an average number of sampled packets 1 13 received at the sampled packet queue 
230 for some recent time period, or some other statistical parameter for that num- 
ber, such as a maximum, minimum, median, or variance thereof; 
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1 o comparison of the actual or average length of the sampled packet queue 230, or the 

2 number of sampled packets 113 received at the sampled packet queue 230, with a 

3 further lower threshold (other than the lower threshold 231) or a further upper 

4 threshold (other than the upper threshold 232); 

5 

6 o the presence (or absence) of a packet 1 13 of a selected particular type (such as a 

7 special flag packet 1 13, a packet 1 13 using a known protocol such as FTP, or a 

8 multicast packet 113) received at the sampled packet queue 230, or present in the 

9 sampled packet queue 230, for some recent time period. 

10 

11 In a preferred embodiment, the adaptive sampling controller 240 described 



12 herein is disposed to prevent processor overloading of the traffic management element 

13 120, by sampling at a relatively less frequent rate when packets 1 1 3 are arriving relatively 

14 more often. However, in alternative embodiments, the adaptive sampling controller 240 

15 may be disposed for other and further purposes, such as the following: 

16 

170 to obtain a more accurate count of selected particular types of packets; 

18 

190 to specifically respond to expected types of network traffic (such as network traffic 
20 that is expected to be relatively bursty or relatively sparse); or 

21 
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o otherwise to adapt to either the frequency or type of packets 1 13 seen by the traffic 
management element 120. 

These alternative embodiments would be clear to those skilled in the art af- 
ter perusing this application, would not require undue experiment or further invention, 
and are within the scope and spirit of the invention. 

The sampled-packet output port 250 is coupled to the head of the sampled 
packet queue 230. The sampled-packet output port 250 couples the sampled packets 1 13 
to one or more packet type detectors 260. 

In a preferred embodiment, there is a plurality of packet type detectors 260, 
one for each of the selected packet types for which a frequency measurement is desired. 
Each packet type detector 260 counts the number of sampled packets 113 that have the 
selected packet type, of all those sampled packets 113 that are received. The total number 
of sampled packets 1 13 which are received is also counted, either at each packet type de- 
tector 260 or at a "universal" packet type detector 260, which counts all sampled packets 
113. 

Each packet type detector 260 is coupled to a corresponding frequency 
measure element 270, which determines an expected frequency of the selected packet 
type for all packets 113 in the network traffic, in response to the actual frequency of the 
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selected packet type for all sampled packets 113. Measurement techniques used by the 
frequency measure elements 270 are further described with reference to figure 3. 

Figure 3 shows a process flow diagram of a method for adaptively sampling 
packets and measuring expected frequencies for selected packet types. 

A method 300 for adaptively sampling packets and measuring expected fre- 
quencies for selected packet types includes a set of flow points and process steps as de- 
scribed herein. In a preferred embodiment, the traffic management element 120 (particu- 
larly the adaptive sampling controller 240 and the frequency measure elements 270) per- 
forms the method 300. 

At a flow point 310, the traffic management element 120 is ready to receive 
a sequence (or a continuation of a sequence) of packets 113. 

At a step 31 1, the traffic management element 120 sets the control parame- 
ter N (further described with regard to figure 2) to a preferred value of about N 0 , further 
described below, although values of N varying substantially from N 0 are also within the 
scope and spirit of the invention. 
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At a step 312, the traffic management element 120 receives a sequence of 
packets 113 and samples 1 out of N of those packets 113 using the sampling element 220 
to provide a stream of sampled packets 113. 

At a step 313, the traffic management element 120 queues the stream of 
sampled packets 1 13 using the sampled packet queue 230, and counts the actual number 
of packets of each selected type using the packet type detectors 260. 

At a step 314, the traffic management element 120 compares the length of 
the sampled packet queue 230 with the lower threshold 231 and with the upper threshold 
232. In a preferred embodiment, the lower threshold 23 1 is constant and substantially 
equals a control parameter A. The traffic management element 120 performs a step 315, 
a step 316, or a step 317, in response to the comparison, and continues with the step 312. 

If the length is less than the lower threshold 231, the traffic management 
element 120 performs the step 315. At the step 315, the traffic management element 120 
uses the adaptive sampling controller 240 to increase the value of the control parameter N 
by a factor of a, where a is a control parameter. The new control parameter N is main- 
tained for at least S new sample packets 113, where S is a control parameter. 

If the length is between the lower threshold 231 and the upper threshold 
232, the traffic management element 120 performs the step 316. In a preferred embodi- 
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ment, the upper threshold 232 is constant and substantially equals a control parameter B. 
At the step 316, does not adjust the control parameter N. 

If the length is more than the upper threshold 232, the traffic management 
element 120 performs the step 317. At the step 317, the traffic management element 120 
uses the adaptive sampling controller 240 to decrease the value of the control parameter N 
by a factor of p, where p is a control parameter. The new control parameter N is main- 
tained for at least S new sample packets 113, where S is the control parameter described 
above. 

In a preferred embodiment, the following values of the control parameters 

are used. 

N 0 about 400 (as described above) 

A about 15 

a about 2 

B about 30 

P about 2 

S about 10 

The inventors have found by simulation that these values of the control pa- 
rameters do not produce skew. 

17 
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However, in alternative embodiments, substantially different values for 
these control parameters may be used; such alternative embodiments would not require 
undue experiment or further invention, and are within the scope and spirit of the inven- 
tion. 

At a flow point 320, the traffic management element 120 is ready to com- 
pute a frequency measure of packets 1 13 of a selected particular type. 

In a preferred embodiment, the steps following the flow point 310 are per- 
formed in parallel with the steps following the flow point 320. Thus, operation of the 
sampling element 220 and the adaptive sampling controller 240 (to sample packets 1 13) is 
in parallel with operation of the packet type detectors 260 and their corresponding fre- 
quency measure elements 270 (to compute the frequency measure of packets 1 13 of each 
selected particular type). 

At a step 321, the packet type detector 260 for a first selected type K detects 
a packet 1 13 of that type K. 

At a step 322, the corresponding frequency measure element 270 for the 
first selected type K updates its counts of the estimated number of packets 1 13 of type K, 
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In a preferred embodiment, the following 



o 



o 



o 



count the estimated number of packets of type K 

variance the estimated variance of the count 



i 



n 



m 



the number of packets 

the value of / for the last sampled packet of type K 

the number of sampled packets 

the value of n for the last sampled packet of type K 



At a step 323, the frequency measure element 270 for the first selected type 
K determines an estimated count (from which an average frequency can be computed) for 
packets 113 of the selected type K, and a variance for the estimated count of packets 113 
of the selected type K, according to the following sub-steps: 

At a sub-step 323(a), a temporary value N temp is set equal to an estimated 
number of packets of type K which have passed by between this sampled packet of type K 
and the most recent previously sampled packet of type K. In a preferred embodiment, 
Ntemp is set equal to (/ -j) I (n - rri). 

At a sub-step 323(b), the estimated number of packets of type K is updated. 
In a preferred embodiment, count is set equal to count + N temp . 
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At a sub-step 323(c), the estimated variance is updated. In a preferred em- 
bodiment, if m < (n - 1) then variance is set equal to variance + 2 N temp . 

At a sub-step 323(d), the counts j and m are updated. In a preferred em- 
bodiment, m is set equal to n, and i is set equal toy. 

In a preferred embodiment, the best estimate of the count is count, and the 
best estimate of the 95% confidence interval is given by count ± 2 sqrt {variance) where 
sqrt is a square root function. 

Alternative Embodiments 

Although preferred embodiments are disclosed herein, many variations are 
possible which remain within the concept, scope, and spirit of the invention, and these 
variations would become clear to those skilled in the art after perusal of this application. 
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Claims 



1 . A method including steps for collecting aggregate information about 
network traffic while maintaining processor load relatively constant despite substantial 
variation in network traffic. 



2. A system including 

means for collecting aggregate information about network traffic; and 
means for maintaining processor load relatively constant for said means for 
collecting despite substantial variation in network traffic. 



3. A system, including 

an input port for receiving network packets; 

a sampling element for selecting a fraction of those packets for review, said 
sampling element including a feedback element for adaptively altering said fraction; 
a queue of selected packets; 
a packet-type detector coupled to said queue; and 
a frequency measurement element coupled to said packet-type detector. 

4. A system as in claim 3, wherein said feedback element is responsive 
to a length of said queue. 
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5. A system as in claim 3, wherein said feedback element is responsive 
to a load on said frequency measurement element. 

6. A system as in claim 3, wherein said feedback element is responsive 
to a frequency measure determined by said frequency measurement element. 

7. A method, including steps for sampling a set of packets at a network 
interface of a switch, said steps for sampling including steps for adaptively altering a 
fraction of said packets for selection. 

8. A method as in claim 7, wherein said steps for adaptively altering a 
fraction of said packets for selection include steps for 

maintaining a queue of selected packets; 

altering said fraction in response to a length of said queue. 

9. A method as in claim 7, wherein said steps for adaptively altering a 
fraction of said packets for selection include steps for 

measuring a frequency of packets of a known type within said selected 

packets; 

altering said fraction in response to a load imposed by said steps for meas- 
uring. 
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1 10. A method as in claim 7, wherein said steps for adaptively altering a 

2 fraction of said packets for selection include steps for altering said fraction in response to 

3 two or more factors responsive to said selected packets. 

4 

5 1 1 . A method as in claim 7, including steps for determining a frequency 

6 of packets of a known type within said selected packets. 

7 

8 12. A method as in claim 11, including steps for determining an error 

■%9 range for said measured frequency. 

Ho 

!J?1 13. A method as in claim 1 1, including steps for 

| £ 12 setting a control parameter; 

S3 

if! 3 sampling said received packets in response to said control parameter, to 

:- fi4 provide a queue of sampled packets; 

comparing a length of said queue with a threshold; 
16 altering said control parameter in response to said threshold. 

17 

18 14. A method as in claim 13, wherein said control parameter is a fraction 

19 of said received packets to sample for said queue. 

20 

21 15. A method as in claim 13, wherein said threshold includes at least one 

22 of: a lower bound for said length, an upper bound for said length. 



23 



CIS-044 



16. A method as in claim 13, wherein said threshold includes a lower 
bound for said length and said steps for altering said control parameter operate to 
lengthen said queue in response to said steps for comparing. 



17. A method as in claim 13, wherein 

said control parameter is a fraction of said received packets to sample for 

said queue; 

said threshold includes a lower bound for said length; and 
said steps for altering said control parameter decrease said control parame- 
ter in response to said steps for comparing. 



18. A method as in claim 13, wherein said threshold includes an upper 
bound for said length and said steps for altering said control parameter operate to shorten 
said queue in response to said steps for comparing. 



19. A method as in claim 13, wherein 

said control parameter is a fraction of said received packets to sample for 

said queue; 

said threshold includes an upper bound for said length; and 
said steps for altering said control parameter increase said control parameter 
in response to said steps for comparing. 
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20. A method as in claim 13, wherein said steps for altering said control 
parameter operate to maintain said control parameter constant for at least a selected num- 
ber of sampled packets. 

21. A method as in claim 13, wherein said steps for sampling do not 
produce skew. 
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Abstract of the Disclosure 

The invention provides a method and system for collecting aggregate in- 
formation about network traffic, while maintaining processor load relatively constant de- 
spite substantial variation in network traffic, and capable of substantially accurate fre- 
quency measurement even for relatively infrequent events. A packet monitoring system 
includes an input port for receiving network packets, a sampling element for selecting a 
fraction of those packets for review, and a queue of selected packets. The packets in the 
queue are coupled to a packet-type detector for detecting packets of a selected type; the 
system applies a measurement technique for determining a frequency measure for those 
detected packets. The system includes a feedback technique for adaptively altering the 
sampling rate fraction, responsive to the queue length and possibly other factors, such as 
processor load or the detected frequency measure. The measurement technique also de- 
termines an error range and a measure of confidence that the actual frequency is within 
the error range of the measured frequency. The system can detect packets of multiple se- 
lected types essentially simultaneously, and provide measured frequencies and error 
ranges for all of the multiple selected types at once. Also, the measurement technique is 
selected so as to impose relatively light processor load per packet. 
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